Windows 10 PPTP Split-Tunneling

OK, yes, PPTP should no longer be used. But sometimes it is the quickest way to connect to a remote network.
In Windows 7 and 8 you could activate split tunneling quite easily: open the newly created adapter, edit the IPv4 settings and, under the advanced settings, untick “Use default gateway on remote network”.

Windows 10 did not seem to allow me to edit those settings. I could click the Properties button but nothing came up… Strange…

Anyway, a quick and dirty fix is this PowerShell one-liner. Just replace “ADAPTER_NAME” with the name of your VPN connection (add -AllUserConnection if the connection was created for all users) and you are all set:

Set-VpnConnection -Name "ADAPTER_NAME" -SplitTunneling $True -PassThru

The output is something like this:

PS C:\Users\open-sourced> Set-VpnConnection -Name "ADAPTER_NAME" -SplitTunneling $True -PassThru


Name                  : ADAPTER_NAME
ServerAddress         : 192.168.1.20
AllUserConnection     : False
Guid                  : {6A0F30B1-040E-4886-A5AD-2547A962A96C}
TunnelType            : Pptp
AuthenticationMethod  : {MsChapv2}
EncryptionLevel       : Optional
L2tpIPsecAuth         :
UseWinlogonCredential : False
EapConfigXmlStream    :
ConnectionStatus      : Disconnected
RememberCredential    : True
SplitTunneling        : True
DnsSuffix             :
IdleDisconnectSeconds : 0
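Note the two lines EncryptionLevel : Optional and AuthenticationMethod : {MsChapv2} in that output: with “Optional” the connection will happily come up without MPPE encryption at all, and MS-CHAPv2 over PPTP is broken anyway. Also keep in mind that split tunneling turns your machine into a bridge between the local network and the remote one. The following is an added example, not part of the original post, of what I would actually run after enabling split tunneling: it refuses plaintext, adds the remote network as a route (with split tunneling on, only traffic for routes bound to the VPN interface goes through the tunnel) and verifies the result. The connection name and the remote prefix 192.168.1.0/24 are assumptions based on the output above.

```powershell
# Added example; ADAPTER_NAME and the remote prefix are assumptions, adjust to your connection.
$Name   = "ADAPTER_NAME"
$Remote = "192.168.1.0/24"

# Turn on split tunneling: Windows no longer installs a default route through the tunnel.
Set-VpnConnection -Name $Name -SplitTunneling $True

# "Optional" lets PPTP negotiate no encryption at all; at least insist on MPPE.
Set-VpnConnection -Name $Name -EncryptionLevel Required

# Only routes bound to the VPN interface are sent into the tunnel, so add the remote LAN.
# The route is stored with the connection and applied every time the tunnel comes up.
Add-VpnConnectionRoute -ConnectionName $Name -DestinationPrefix $Remote -PassThru

# Verify the stored settings and routes.
Get-VpnConnection -Name $Name | Select-Object Name, TunnelType, EncryptionLevel, SplitTunneling
Get-VpnConnectionRoute -ConnectionName $Name

# Once connected: the active route table must show $Remote via the VPN interface
# and no 0.0.0.0/0 entry pointing at it.
Get-NetRoute -AddressFamily IPv4 |
    Where-Object InterfaceAlias -eq $Name |
    Format-Table DestinationPrefix, NextHop, RouteMetric
```

If the remote side pushes its routes via DHCP/classless static routes you can skip Add-VpnConnectionRoute, but checking Get-NetRoute after connecting is the only way to be sure that nothing but the remote prefix is going through the tunnel.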

Systemd with bash script

To load my firewall rules I have always used an init script containing all my iptables rules.
However, with the switch to systemd in Debian Jessie things have changed a bit.

Create a service file in /etc/systemd/system. In my case this is /etc/systemd/system/firewall.service:

[Unit]
Description=Firewall

[Service]
Type=oneshot
ExecStart=/bin/sh /scripts/firewall.sh start
ExecStop=/bin/sh /scripts/firewall.sh stop
ExecReload=/bin/sh /scripts/firewall.sh restart
RemainAfterExit=yes

[Install]
WantedBy=multi-user.target

Important here are the Type and RemainAfterExit parameters: a oneshot unit exits as soon as the script has run, and without RemainAfterExit=yes systemd would consider the firewall inactive again and never run ExecStop. ExecStart needs an absolute path, so prefix /bin/sh or /bin/bash if the script is not executable on its own.

Next reload systemd, then enable and start the service:

systemctl daemon-reload
systemctl enable firewall.service
systemctl start firewall.service
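Below is an example of the /scripts/firewall.sh that such a unit calls. It is added here and is not the script from the original post: default-deny for INPUT and FORWARD, conntrack for return traffic, SSH only from an assumed management network, and a rate-limited LOG rule so dropped packets end up in the journal. The IPT variable exists so the whole rule set can be dry-run with IPT=echo before it is loaded on a real box; the network 192.168.1.0/24 and port 22 are assumptions.

```shell
#!/bin/sh
# /scripts/firewall.sh - added example, not the original post's script.
# IPT can be overridden (IPT=echo ./firewall.sh start) to print the rules instead of loading them.
IPT="${IPT:-iptables}"
SSH_PORT="${SSH_PORT:-22}"      # assumed management port
LAN="${LAN:-192.168.1.0/24}"    # assumed trusted network

fw_flush() {
    "$IPT" -F
    "$IPT" -X
    "$IPT" -t nat -F
    "$IPT" -t nat -X
}

fw_start() {
    fw_flush
    # Default deny inbound and forwarded traffic, allow outbound.
    "$IPT" -P INPUT DROP
    "$IPT" -P FORWARD DROP
    "$IPT" -P OUTPUT ACCEPT
    # Loopback, return traffic for our own connections, and nothing malformed.
    "$IPT" -A INPUT -i lo -j ACCEPT
    "$IPT" -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    "$IPT" -A INPUT -m conntrack --ctstate INVALID -j DROP
    # Management only from the trusted network.
    "$IPT" -A INPUT -p tcp -s "$LAN" --dport "$SSH_PORT" -m conntrack --ctstate NEW -j ACCEPT
    # Stay pingable.
    "$IPT" -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
    # Log (rate limited) whatever falls through to the DROP policy.
    "$IPT" -A INPUT -m limit --limit 5/min -j LOG --log-prefix "fw-drop: "
}

fw_stop() {
    # Open the policies before flushing so a failure halfway cannot lock us out.
    "$IPT" -P INPUT ACCEPT
    "$IPT" -P FORWARD ACCEPT
    "$IPT" -P OUTPUT ACCEPT
    fw_flush
}

# Dispatch only when an action is given, so the file can also be sourced for testing.
if [ "$#" -gt 0 ]; then
    case "$1" in
        start)   fw_start ;;
        stop)    fw_stop ;;
        restart) fw_stop; fw_start ;;
        *)       echo "usage: $0 {start|stop|restart}" >&2; exit 1 ;;
    esac
fi
```

Two things worth adding to the unit file: Before=network-pre.target together with Wants=network-pre.target in the [Unit] section, so the rules are in place before the interfaces come up, and an awareness that systemctl stop firewall.service runs the stop branch and therefore opens everything, which is handy while debugging and dangerous on an exposed host.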

Update ESX 5.x to 5.5 using the CLI

To avoid using VUM or PowerCLI to upgrade your host you can simply use the VMware online depot.
The commands below have to be executed over SSH (enable the SSH server under the host's Security Profile first). The first command opens the httpClient firewall rule so the host can reach the depot; the second applies the 5.5 image profile.

esxcli network firewall ruleset set -e true -r httpClient
esxcli software profile update -d https://hostupdate.vmware.com/software/VUM/PRODUCTION/main/vmw-depot-index.xml -p ESXi-5.5.0-1331820-standard
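The full sequence I would type on the host, as an added walkthrough that is not part of the original post: put the host in maintenance mode first (VMs powered off or migrated), list what the depot offers so you pick the right build, open the httpClient rule only for the duration of the update and close it again, then reboot and verify. The depot URL and profile name are the ones from the post; everything else is a standard esxcli command.

```console
# prepare: no running VMs, outbound HTTPS allowed only while we need it
~ # esxcli system maintenanceMode set -e true
~ # esxcli network firewall ruleset set -e true -r httpClient

# see which 5.5 image profiles the depot currently offers
~ # esxcli software sources profile list -d https://hostupdate.vmware.com/software/VUM/PRODUCTION/main/vmw-depot-index.xml | grep ESXi-5.5.0

# apply the chosen profile; signed VIBs only, the host acceptance level is still enforced
~ # esxcli software profile update -d https://hostupdate.vmware.com/software/VUM/PRODUCTION/main/vmw-depot-index.xml -p ESXi-5.5.0-1331820-standard

# close the rule again and reboot into the new image
~ # esxcli network firewall ruleset set -e false -r httpClient
~ # reboot

# after the reboot: confirm the version/profile, then leave maintenance mode
~ # esxcli system version get
~ # esxcli software profile get
~ # esxcli system maintenanceMode set -e false
```

Do not lower the host acceptance level (esxcli software acceptance set) to get an update through; if the profile update refuses a VIB, it is telling you the package is not signed for that level.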

VMware vCenter server behind NAT

Some of you might be running a vCenter server behind a firewall / router performing NAT. If this is the case you might have encountered issues with external ESX hosts showing up as not responding.
vCenter and the hosts exchange a heartbeat every 20 – 30 seconds to check that the host is still alive. Behind NAT the host's management agent (vpxa) sends its heartbeat to the internal IP of your vCenter server, which it cannot reach, so vCenter never sees it.

To tackle this issue set up port forwarding on your router / firewall for UDP port 902 to the vCenter server, and edit /etc/vmware/vpxa/vpxa.cfg on the host.
Look for the line with serverIp:

<serverIp>192.168.1.100</serverIp>

This contains the internal IP of the vCenter server.
Replace it with your external IP and add the following line directly below it, so that vpxa does not overwrite the address again on the next reconnect:

<preserveServerIp>true</preserveServerIp>

Restart the management agents on the host:

services.sh restart

and reconnect the host in your vCenter server. You might get a warning that this host is currently managed by … . You can safely ignore this warning: it is the same vCenter server, only seen from a different address.

Reference: VMware KB1010652

Postfix as backup MX

Redundancy is very important these days, especially for a heavily used medium such as mail. Luckily you can set up something called a “backup MX”.

Normally when person A sends a mail to person B, the sending mail server looks up where to deliver the mail through DNS (the MX record). With multiple MX records we can either load-balance through DNS or set up a secondary mail server that takes over when the primary goes offline.

Here I will explain how to quickly set up a backup mail server that queues the mail until the primary mail server is reachable again.

First of all we need to create a second MX record. An MX record consists of 3 parts:

  • Domain where the mail-server is for
  • The mail-server where to send the mail to
  • The priority of this MX record

It is this priority that decides between load-balancing (equal values) and backup (the lowest value is tried first, the higher one only when it fails).

vincent@testbox:# dig +short domain-a.local MX
  10 primary.domain-a.local.
  20 secondary.domain-a.local.

The dig command shows two MX records for domain-a.local; primary has the lower, preferred priority.

I assume that primary.domain-a.local is already properly set up to receive mail. For the secondary a basic Postfix installation is sufficient. All we need to do is add the following line to /etc/postfix/main.cf:

relay_domains = domain-a.local

If you need to be the backup for multiple domains, just add them on the same line (comma separated).

relay_domains = domain-a.local, domain-b.local, domain-c.local

Save, exit and reload Postfix:

vincent@testbox:# service postfix reload

That's it! When the primary mail server is offline, sending servers fall back to the next MX record according to priority. The backup MX accepts the mail and tries to deliver it to the primary; until that succeeds it keeps the mail in its queue (by default for up to five days, controlled by maximal_queue_lifetime).

Important note!
Do NOT list the relayed domains in the “mydestination” line of main.cf on the backup mail server. If you do, Postfix attempts local delivery instead of relaying, and the mail bounces because the mailboxes do not exist locally.
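A slightly fuller main.cf for the backup MX, as an added example that is not the original post's configuration. The important addition is relay_recipient_maps: with only relay_domains set, the backup MX accepts mail for every address in those domains, including the non-existent ones that spammers try, and later bounces it to forged senders (backscatter). The domain names, the map file name and the queue lifetime are assumptions; the map must be filled with the primary's real address list, for example exported nightly and copied over.

```conf
# /etc/postfix/main.cf on the backup MX (added example, not the post's own config)

# Domains we relay for. They must NOT appear in mydestination.
relay_domains = domain-a.local, domain-b.local
mydestination = $myhostname, localhost.$mydomain, localhost

# Accept only recipients the primary knows; anything else is rejected during SMTP,
# so we never queue and later bounce mail for unknown users (backscatter).
relay_recipient_maps = hash:/etc/postfix/relay_recipients

# Keep queued mail longer than the 5-day default while the primary is down.
maximal_queue_lifetime = 7d

# Postfix's default relay restrictions already limit relaying to relay_domains
# (reject/defer_unauth_destination); do not weaken them on a backup MX.
```

Create /etc/postfix/relay_recipients with one entry per line in the form “alice@domain-a.local OK”, run postmap on it, then postfix reload. Watch the queue with postqueue -p while the primary is down and push it with postqueue -f once the primary is back. Also make sure the primary accepts mail from the backup without greylisting or RBL checks on its IP, otherwise the queued mail will sit there long after the primary has recovered.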

Installing ESXi with less than 4GB of RAM

I have an old desktop computer here that I would like to use for my ‘home lab’. It's an old dual core with 4GB of RAM. OK, I know this isn't much, but for a few Linux virtual machines it is enough.

I used PXE to boot the VMware ISO, went through the first steps and then got the error that my host only had 3.89GB of memory while a minimum of 4GB is required.

So I started googling to see if it was possible to bypass this check, and guess what:

Press Alt+F1 to go to the console. Log in as root without a password and execute these commands:

cp /usr/lib/vmware/weasel/util/update_precheck.py /usr/lib/vmware/weasel/util/update_precheck.py.old
# remove the source and the compiled bytecode; a "update_precheck.py*" wildcard would also delete the .old copy
rm -f /usr/lib/vmware/weasel/util/update_precheck.py /usr/lib/vmware/weasel/util/update_precheck.pyc
vi /usr/lib/vmware/weasel/util/update_precheck.py.old

Type “/MEM_MIN” to jump to the line that calculates the minimum. Move the cursor over the “4”, press “r” (the vi replace command) and type “2”. Then type “:wq” to save and exit.

cp /usr/lib/vmware/weasel/util/update_precheck.py.old /usr/lib/vmware/weasel/util/update_precheck.py
# find the running installer (weasel) and kill it; it comes back with the patched check
ps -c | grep weasel
kill -9 PID_OF_PROCESS

Now press Alt+F2 to go back to the installer and install ESXi.

Source

Cisco: VLAN(s) not available in Port Manager

Most of you will know that on Cisco switches VLAN IDs 1002 – 1005 are reserved for backwards compatibility (FDDI and Token Ring):

1002 fddi-default                     act/unsup 
1003 token-ring-default               act/unsup 
1004 fddinet-default                  act/unsup 
1005 trnet-default                    act/unsup 

What I noticed today is that some Cisco switches (for example the Catalyst 4500) also allocate an internal VLAN for every routed port (“no switchport”). These VLANs are taken from 1006 upwards, so creating VLAN 1006 can fail with “not available in Port Manager” even though the ID does not show up in “show vlan”.

You can check which VLANs are in use for routed ports with “show vlan internal usage”:

switch#show running-config interface GigabitEthernet0/1
!
interface GigabitEthernet0/1
 description Routed
 no switchport
 ip address 192.168.0.1 255.255.255.0
end

switch#show vlan internal usage

VLAN Usage
---- --------------------
1006 GigabitEthernet0/1

When you really need a VLAN ID that is taken by a routed port, shut down the routed port, create the VLAN and bring the port back up. Be aware that the switch then allocates the next free internal VLAN to the routed port (1007 in the example below):

switch(config)#int Gi0/1
switch(config-if)#shut
switch(config-if)#do show vlan internal usage

VLAN Usage
---- --------------------

switch(config-if)#vlan 1006
switch(config-vlan)#exit
switch(config)#int Gi0/1
switch(config-if)#no shut
switch(config-if)#exit
switch(config)#do show vlan internal usage

VLAN Usage
---- --------------------
1007 GigabitEthernet0/1

open-sourced.be

Welcome to open-sourced.be, once again an attempt to keep a blog which contains useful how-to’s about networking, security, Linux, etc.

During the next few days and weeks you might notice some things changing like new plugins being added etc. The site is brand new, so I’m not sure yet how I want it to evolve.